Netgate Discussion Forum

    OpenVPN + quagga OSPF Need some help

pfSense Packages | 13 Posts, 2 Posters, 3.7k Views

d83

      Hello,

I have tried to follow the pfSense book "OpenVPN Site-to-Site with Multi-WAN and OSPF". Through packet capture I can see the "Hello" coming in; it looks like this:

      Packet capture interface set to "main"

      Main VPN

      14:35:29.551867 IP 192.168.88.2 > 224.0.0.5: OSPFv2, Hello, length 48
      14:35:34.446163 IP 192.168.88.1 > 224.0.0.5: OSPFv2, Hello, length 48

      Packet capture interface set to "At&t"

      At&t VPN

      14:36:54.374149 IP 192.168.44.1 > 224.0.0.5: OSPFv2, Hello, length 48
      14:37:00.399990 IP 192.168.44.2 > 224.0.0.5: OSPFv2, Hello, length 48

My question is: why can I not get a neighbor relationship to establish? When I go to Services / Quagga OSPF / Status there is nothing in Quagga OSPF General, Quagga OSPF Neighbors, Quagga OSPF Database, Quagga OSPF Router Database, Quagga OSPF Routes, Quagga Zebra Routes, Quagga OSPF Interfaces, or Quagga OSPF CPU Usage.

      Quagga ospfd.conf for Office A is

# This file was created by the pfSense package manager.  Do not edit!

      password 1234
      interface ovpns1
        ip ospf cost 10
        ip ospf hello-interval 10
        ip ospf retransmit-interval 6
        ip ospf dead-interval 40
      interface ovpns3
        ip ospf cost 20
        ip ospf hello-interval 11
        ip ospf retransmit-interval 7
        ip ospf dead-interval 41
      interface igb0

      router ospf
        ospf router-id 192.168.1.1
        passive-interface igb0
        network 192.168.88.0/30 area 0.0.0.0
        network 192.168.44.0/30 area 0.0.0.0
        network 192.168.1.0/24 area 0.0.0.0

      Quagga zebra.conf

# This file was created by the pfSense package manager.  Do not edit!

      password 1234

      ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
      ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
      ip prefix-list ACCEPTFILTER deny 192.168.1.0/24
      ip prefix-list ACCEPTFILTER permit any
      route-map ACCEPTFILTER permit 10
      match ip address prefix-list ACCEPTFILTER
      ip protocol ospf route-map ACCEPTFILTER

      Quagga ospfd.conf for Office B is

# This file was created by the pfSense package manager.  Do not edit!

      password 1234
      interface ovpnc1
        ip ospf cost 10
        ip ospf hello-interval 10
        ip ospf retransmit-interval 6
        ip ospf dead-interval 40
      interface ovpnc3
        ip ospf cost 20
        ip ospf hello-interval 11
        ip ospf retransmit-interval 7
        ip ospf dead-interval 41
      interface igb0

      router ospf
        ospf router-id 192.168.10.1
        passive-interface igb0
        network 192.168.88.0/30 area 0.0.0.0
        network 192.168.44.0/30 area 0.0.0.0
        network 192.168.10.0/24 area 0.0.0.0

      Quagga zebra.conf

# This file was created by the pfSense package manager.  Do not edit!

      password 1234
      ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
      ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
      ip prefix-list ACCEPTFILTER deny 192.168.10.0/24
      ip prefix-list ACCEPTFILTER permit any
      route-map ACCEPTFILTER permit 10
      match ip address prefix-list ACCEPTFILTER
      ip protocol ospf route-map ACCEPTFILTER

      Can anyone see what I could be doing wrong?

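The two captures above report "length 48": for OSPFv2 that is the 44-byte Hello plus one 4-byte neighbor entry, so each Hello already carries a neighbor ID. The decoder below is an added example (not code from the post, from pfSense or from Quagga) that pulls the fields ospfd compares before it accepts a Hello from a neighbor: area, authentication type, network mask (skipped on point-to-point links), hello interval, dead interval and the options E-bit. The packets at the bottom are constructed to resemble the capture, using the router IDs from the two configs; they are not real traffic.

```python
"""OSPFv2 Hello decoder and adjacency-precondition check (added example).

The packets at the bottom are constructed to match the capture in the post
(a /30 tunnel, one neighbor listed, 48 bytes); they are not real traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Sequence

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
OPT_E = 0x02  # Options E-bit: router accepts AS-external LSAs (not a stub area)


@dataclass
class Hello:
    router_id: str
    area_id: str
    auth_type: int
    netmask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: List[str] = field(default_factory=list)


def _ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_hello(router_id: str, area_id: str, netmask: str, hello_interval: int,
                dead_interval: int, neighbors: Sequence[str] = (), options: int = OPT_E,
                priority: int = 1, auth_type: int = 0) -> bytes:
    """Encode a Hello. Checksum and auth field stay zero: test input, not a packet to send."""
    body = struct.pack("!4sHBBI4s4s", _ip_to_bytes(netmask), hello_interval, options,
                       priority, dead_interval, b"\0" * 4, b"\0" * 4)  # DR/BDR unset
    body += b"".join(_ip_to_bytes(n) for n in neighbors)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, 24 + len(body),
                         _ip_to_bytes(router_id), _ip_to_bytes(area_id), 0, auth_type)
    return header + b"\0" * 8 + body  # 8-byte authentication field


def parse_hello(pkt: bytes) -> Hello:
    """Decode an OSPFv2 Hello (RFC 2328 A.3.1/A.3.2); ValueError on anything else."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPFv2 Hello")
    version, ptype, length, rid, area, _cksum, auth_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    if version != OSPF_VERSION or ptype != OSPF_TYPE_HELLO:
        raise ValueError(f"not an OSPFv2 Hello (version={version}, type={ptype})")
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes")
    # pkt[16:24] is the authentication field (password or crypto sequence number); not checked here
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    tail = pkt[44:]
    if len(tail) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    neighbors = [_ip_to_str(tail[i:i + 4]) for i in range(0, len(tail), 4)]
    return Hello(_ip_to_str(rid), _ip_to_str(area), auth_type, _ip_to_str(mask), hello_int,
                 options, prio, dead_int, _ip_to_str(dr), _ip_to_str(bdr), neighbors)


def adjacency_problems(a: Hello, b: Hello, point_to_point: bool = False) -> List[str]:
    """Reasons ospfd would discard the other side's Hello (RFC 2328 10.5); empty = compatible."""
    problems = []
    if a.area_id != b.area_id:
        problems.append(f"area {a.area_id} != {b.area_id}")
    if a.auth_type != b.auth_type:
        problems.append(f"auth type {a.auth_type} != {b.auth_type}")
    if not point_to_point and a.netmask != b.netmask:  # mask is not compared on p2p links
        problems.append(f"netmask {a.netmask} != {b.netmask}")
    if a.hello_interval != b.hello_interval:
        problems.append(f"hello-interval {a.hello_interval} != {b.hello_interval}")
    if a.dead_interval != b.dead_interval:
        problems.append(f"dead-interval {a.dead_interval} != {b.dead_interval}")
    if (a.options & OPT_E) != (b.options & OPT_E):
        problems.append("E-bit (external routing capability) differs")
    return problems


def two_way(a: Hello, b: Hello) -> bool:
    """True when each side already lists the other: the neighbors have reached 2-Way."""
    return b.router_id in a.neighbors and a.router_id in b.neighbors


# Constructed input (router IDs from the post's configs, tunnel /30, one neighbor each).
HELLO_A = build_hello("192.168.1.1", "0.0.0.0", "255.255.255.252", 10, 40, ["192.168.10.1"])
HELLO_B_OK = build_hello("192.168.10.1", "0.0.0.0", "255.255.255.252", 10, 40, ["192.168.1.1"])
# Same peer, but with the second tunnel's timers (hello 11 / dead 41) applied to this tunnel.
HELLO_B_BAD = build_hello("192.168.10.1", "0.0.0.0", "255.255.255.252", 11, 41, ["192.168.1.1"])

if __name__ == "__main__":
    a = parse_hello(HELLO_A)
    for raw in (HELLO_B_OK, HELLO_B_BAD):
        b = parse_hello(raw)
        print(f"{len(raw)} bytes, 2-way={two_way(a, b)}, problems={adjacency_problems(a, b) or 'none'}")
```

To use it on a real capture, feed parse_hello the OSPF payload (everything after the IP header) of each side's Hello and run adjacency_problems on the pair; a mismatch in any of the listed fields means the neighbor never leaves Init, while an empty list with a passing two_way check points the search elsewhere (firewall rules on the tunnel, or the daemons themselves).
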
Soyokaze

What do you mean by "there is nothing in Quagga OSPF General"? If there is literally nothing, then your Q/Z is not running at all.
If there is "something" (e.g. diagnostic info) but OSPF can't establish a link…
1st: enable both logging options (they will be in system logs - routing)
2nd: don't mess with hello/retransmit/dead; leave them at defaults. If you REALLY want to play with them, do this AFTER you get OSPF working.
3rd: remove the ACCEPT filters; you don't need them, at least not now.
4th: start with 1 OpenVPN interface; after you make it run, add the second. This will be much simpler for you to configure and diagnose. Maybe you are just mismatching your VPN links and configuring mismatched hello/dead intervals, which is a NO-NO.

        Need full pfSense in a cloud? PM for details!

Soyokaze

OR you messed something up while tinkering and zebra with ospfd are now running with a different password, or they are just dead.
If you can, rebuild the OSPF configuration from scratch, with a package remove/reinstall.

Soyokaze

            Config looks fine for me.

Soyokaze

Well, it found a neighbor, so it works.
BUT if you are still unable to get diag info, you had better rebuild it so you can see what's going on.
Do you get the same problem on the second router?

Soyokaze

                I have ospfd/zebra running on pfs from ~2.1.3 to 2.3.1, all show diag without problems.

                Jun 21 16:22:00  ospfd  1267  nsm_change_state(192.168.1.1, Loading -> Full): scheduling new router-LSA origination
                Jun 21 16:22:01  ospfd  1267  SPF Processing Time(usecs): External Routes: 6
                Jun 21 16:22:14  ospfd  1267  nsm_change_state(192.168.1.1, Full -> Init): scheduling new router-LSA origination
                Jun 21 16:22:14  ospfd  1267  SPF: Scheduled in 0 msec
                Jun 21 16:22:15  ospfd  1267  SPF Processing Time(usecs): External Routes: 10
                Jun 21 16:22:23  ospfd  1267  Packet[DD]: Neighbor 192.168.1.1: Initial DBD from Slave, ignoring.
                Jun 21 16:22:23  ospfd  1267  Packet[DD]: Neighbor 192.168.1.1 Negotiation done (Master).
                Jun 21 16:22:23  ospfd  1267  nsm_change_state(192.168.1.1, Exchange -> Full): scheduling new router-LSA origination

Yep, it works. If you defined local/remote networks in the OpenVPN configuration, you can remove them now and have the routes pushed by ospfd.

But still, without status info available you are swimming blindfolded. You can still get this info from the shell, but I wouldn't call that comfortable.

Soyokaze

Oddly, all my settings were still remembered

They are stored in config.xml of pfSense.

Do you see status info after the rebuild? If yes, in "Quagga OSPF Neighbors" you should see the Router ID of the other router.
And most important for you is "Quagga Zebra Routes"; there should be routes (prefixed with O>) to the LAN on the other router.
OpenVPN links are directly connected, so their networks would show up anyway.

Soyokaze

                    …
Rebuild both pfSenses from scratch?
Or learn how to get the info from the shell.

Soyokaze

Not quite.
The tunnel network is necessary for the tunnel to function, so you should not remove it.
But remote and local networks can be removed (and had better be, because they will override OSPF routing).
Key point to understand: after both of your OSPF routers are paired, they should have information about WHICH networks to announce.
In your case you provided this info through the config:
interface igb0
network 192.168.1.0/24 area 0.0.0.0

Soyokaze

1. Show your Zebra routes and the system routing table.
2. Check the firewall rules on the OpenVPN tab; better to have ANY to ANY until you get it working.
3. If you have 2 OpenVPN connections between 2 routers, you will have trouble. Adjust the cost for the tunnels so that when they are both live, one is preferred.

Soyokaze

                          Please, draw a network scheme (with interface names and ip/subnets).

Soyokaze

Well, it is clear now.
You write:

The other night I was able to disconnect the main WAN (Charter) in the main office and was able to ping over to the remote office.
However, I was not able to ping from the remote office back to the main office.

But if you look at the routing table at the branch, you will see

K>* 192.168.1.0/24 via 192.168.88.1, ovpnc1

So the remote office still thinks it should send packets to the main office through the OpenVPN tunnel which terminates at Charter.
Also, K> says that this route did not come from OSPF (though "O  192.168.1.0/24 [110/20] via 192.168.88.1, ovpnc1, 14:29:15" tells that OSPF thinks the same).

If you haven't statically assigned a route in the 192.168.88.0 tunnel, then you can try to enable "Don't pull routes" in the VPN configuration.

I have exactly the same situation sometimes, but I haven't found the perfect solution, nor the cause. The default configuration for OpenVPN contains a ping-restart directive, which should reset the OpenVPN tunnel in case of a lost connection (and drop the assigned routes in the process), but this doesn't happen.

Can you create a thread on the VPN board, citing your last two posts and this one? Maybe someone could help both of us…

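The symptom above, a kernel route (K>*) that zebra keeps selecting over the OSPF route (O) for the same prefix, is easy to miss in a long "show ip route" listing. The checker below is an added example, not code from the post or from Quagga: it parses Quagga's "show ip route" output and reports every prefix for which an OSPF route exists but a route from another source won selection. The two route lines from the post are reused as-is; the other lines of the two sample tables (the connected routes and the "after" state, where the tunnel networks were removed from the OpenVPN config and OSPF now prefers ovpnc3) are constructed for illustration and not taken from the thread.

```python
"""Find OSPF routes shadowed by kernel/static routes in Quagga "show ip route" output.

Added example. The sample tables are constructed; only the two lines for
192.168.1.0/24 in BRANCH_BEFORE are copied from the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One route line, e.g.
#   K>* 192.168.1.0/24 via 192.168.88.1, ovpnc1
#   O   192.168.1.0/24 [110/20] via 192.168.88.1, ovpnc1, 14:29:15
#   C>* 192.168.88.0/30 is directly connected, ovpnc1
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<via>\S+),\s+|is directly connected,\s+)(?P<iface>[^,\s]+)"
)


@dataclass
class Route:
    proto: str           # K kernel, C connected, S static, O OSPF, ...
    selected: bool       # '>' : the route zebra chose for this prefix
    in_fib: bool         # '*' : installed in the kernel forwarding table
    prefix: str
    distance: Optional[int]
    metric: Optional[int]
    via: Optional[str]   # None for directly connected routes
    iface: str


def parse_routes(text: str) -> List[Route]:
    """Parse route lines; the legend, blank lines and multipath continuation lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            m["proto"], m["sel"] == ">", m["fib"] == "*", m["prefix"],
            int(m["ad"]) if m["ad"] else None, int(m["metric"]) if m["metric"] else None,
            m["via"], m["iface"]))
    return routes


def shadowed_ospf_routes(routes: List[Route]) -> List[Dict[str, str]]:
    """Prefixes OSPF knows a route for, but where zebra selected a route from another source."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    findings = []
    for prefix, rs in by_prefix.items():
        ospf = [r for r in rs if r.proto == "O"]
        chosen = [r for r in rs if r.selected]
        if ospf and chosen and chosen[0].proto != "O":
            findings.append({
                "prefix": prefix,
                "selected_by": chosen[0].proto,
                "selected_via": f"{chosen[0].via} ({chosen[0].iface})",
                "ospf_via": f"{ospf[0].via} ({ospf[0].iface})",
            })
    return findings


# Constructed branch-office table: OSPF learned 192.168.1.0/24, but the route OpenVPN pushed
# (kernel route via the Charter tunnel ovpnc1) is the one zebra selected and installed.
BRANCH_BEFORE = "\n".join([
    "Codes: K - kernel route, C - connected, S - static, O - OSPF,",
    "       > - selected route, * - FIB route",
    "",
    "C>* 192.168.10.0/24 is directly connected, igb0",
    "C>* 192.168.44.0/30 is directly connected, ovpnc3",
    "C>* 192.168.88.0/30 is directly connected, ovpnc1",
    "K>* 192.168.1.0/24 via 192.168.88.1, ovpnc1",
    "O   192.168.1.0/24 [110/20] via 192.168.88.1, ovpnc1, 14:29:15",
])

# Constructed "after" table: no pushed route any more, Charter tunnel down, OSPF now prefers ovpnc3.
BRANCH_AFTER = "\n".join([
    "C>* 192.168.10.0/24 is directly connected, igb0",
    "C>* 192.168.44.0/30 is directly connected, ovpnc3",
    "C>* 192.168.88.0/30 is directly connected, ovpnc1",
    "O>* 192.168.1.0/24 [110/30] via 192.168.44.1, ovpnc3, 00:00:12",
])

if __name__ == "__main__":
    for name, table in (("before", BRANCH_BEFORE), ("after", BRANCH_AFTER)):
        print(name, shadowed_ospf_routes(parse_routes(table)) or "no shadowed OSPF routes")
```

Run it against the saved output of Quagga's "show ip route" (from the zebra vty or the package's status page) on both routers. A finding with selected_by "K" or "S" is the case in this thread: a route that OpenVPN or a static entry installed and that OSPF cannot displace, so the fix is in the OpenVPN config (remove the remote/local networks, or "Don't pull routes"), not in ospfd.
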
d83

Can anyone suggest where I can get help with this problem? I really need this to get fixed. A different forum?

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.